Let’s get started with Let’s Encrypt

Let’s Encrypt

Finally it’s here: the chance to encrypt your websites free of charge. This can be done with Let’s Encrypt.

Clone the Let’s Encrypt tools

git clone https://github.com/letsencrypt/letsencrypt

Change into the directory

cd letsencrypt/

First time certificate generation

./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=/var/www/www.sysstem.at --agree-dev-preview -d www.sysstem.at

/var/www/www.sysstem.at is my webroot and www.sysstem.at is my domain.

Make sure your web server is running on port 80, because the Let’s Encrypt client places a verification file in your webroot (under /.well-known/acme-challenge/) and the validation server tries to download it over plain HTTP.

Set up your Apache VirtualHost like this

#010-www.sysstem.at.conf
<VirtualHost *:443>
 ServerAdmin admin@sysstem.at
 ServerName www.sysstem.at
 DocumentRoot /var/www/www.sysstem.at


 ErrorLog ${APACHE_LOG_DIR}/www.sysstem.at_error.log
 CustomLog ${APACHE_LOG_DIR}/www.sysstem.at_access.log combined

 SSLEngine on

 SSLCertificateFile /etc/letsencrypt/live/www.sysstem.at/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/www.sysstem.at/privkey.pem
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

 BrowserMatch "MSIE [2-6]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

Enable the site with

a2ensite 010-www.sysstem.at.conf

You may wonder where this huge list of cipher suites in the Apache config comes from. Depending on what kind of site you are hosting you can choose weaker or stronger suites; I took the Intermediate profile from Mozilla’s Server Side TLS recommendations.

And make sure that you redirect all HTTP traffic to HTTPS. This does not break the Let’s Encrypt validation: the validation server requests the verification file over plain HTTP on port 80 and follows the redirect, and because the HTTPS VirtualHost above serves the same DocumentRoot it finds the file there. Two details of the rule below are worth knowing: %{SERVER_NAME} only reflects the client’s Host header while UseCanonicalName is Off (the default), and the R flag alone sends a temporary 302 redirect, so use R=301 if browsers should cache it.

#000-catchall.conf 
<VirtualHost *:80>
 ServerAdmin admin@sysstem.at
 ServerName catchall
 ErrorLog ${APACHE_LOG_DIR}/catchall.log
 LogLevel warn
 CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
 RewriteEngine On
 # This will enable the Rewrite capabilities
 RewriteCond %{HTTPS} !=on
 # This checks to make sure the connection is not already HTTPS
 RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

Enable the site with

a2ensite 000-catchall.conf

We also need to load the Apache modules the configuration above relies on.

Enable the SSL Module and the Rewrite Module with

a2enmod ssl
a2enmod rewrite

Restart the Apache Server

service apache2 restart

Let’s do an SSL test on our site. SSL Labs is my tool of choice for this job.

My site has a great score for now:

SSL Test for www.sysstem.at

The certificate we now have is valid for only 90 days. This is intentional on Let’s Encrypt’s part: the goal is that certificate renewals are automated. For this I wrote a little script.

Place this script in /opt/letsencrypt as letsencrypt-renew.sh

This script makes sure that you get a new certificate for your website once the current one is older than 30 days. It also contains a check for people with a dynamic IP: if your provider switches your IP before your dynamic DNS service (like DynDNS or No-IP) has picked up the change, the A record still points at the old address and the HTTP validation would fail, so the script exits without attempting a renewal.

#!/bin/bash
DOMAIN=www.sysstem.at
DIR=/var/www/www.sysstem.at
LETSENCRYPT=/opt/letsencrypt
CERT=/etc/letsencrypt/live/$DOMAIN/fullchain.pem

#only renew if the cert is older than 30 days (find -L follows the symlink
#in live/, so the mtime of the real file is checked) ...
if [ -n "$(find -L "$CERT" -mtime +30 2>/dev/null)" ]; then
  #... and the A record still points at this host's current public IP.
  #Both values are quoted: an empty answer must fail the test, not break it.
  DNS_IP=$(dig +short "$DOMAIN" | head -n1)
  MY_IP=$(curl -s canihazip.com/s)
  if [ -n "$DNS_IP" ] && [ "$DNS_IP" = "$MY_IP" ]; then
    #renew the cert and reload Apache only if the client succeeded
    mkdir -p "$DIR" && cd "$LETSENCRYPT" \
      && ./letsencrypt-auto --renew-by-default certonly \
           --server https://acme-v01.api.letsencrypt.org/directory \
           -a webroot --webroot-path="$DIR" -d "$DOMAIN" \
      && service apache2 reload
  fi
fi

Make changes to comply with your website and make the file executable with

chmod +x letsencrypt-renew.sh

Now we check every day whether our certificate is up to date. For this open the crontab with

crontab -e

and append the following line

0 1 * * * /opt/letsencrypt/letsencrypt-renew.sh
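The script above decides by file age, which is only a proxy for what actually expires. As an added example (not the author’s script), here is the same decision made from the certificate’s own notAfter date with openssl, plus a check that the freshly written fullchain.pem really lists the domain before Apache is reloaded. The function names, the 30-day window and the example domain are assumptions; the client invocation is the one used above.

```bash
#!/bin/bash
# Added example, not the original renewal script: trigger renewal from the
# certificate's notAfter date (what actually expires) instead of the file's
# mtime, and confirm the new chain covers the domain before reloading.
# Needs only openssl; function names and defaults are assumptions.

# Returns 0 (true) if $1 is missing or expires within $2 days (default 30),
# i.e. when the ACME client should be run.
cert_needs_renewal() {
    local pem="$1" days="${2:-30}"
    [ -r "$pem" ] || return 0
    # -checkend N exits 0 only if the cert is still valid N seconds from now
    if openssl x509 -noout -in "$pem" -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints the notAfter date of $1 for the cron mail or log line.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Prints the DNS names from the subjectAltName of $1, one per line.
cert_dns_names() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Cron entry point: $1 domain, $2 webroot, $3 checkout of the client
# (default /opt/letsencrypt as in the post). Reloads Apache only after a
# successful renewal whose chain lists $1.
renew_if_needed() {
    local domain="$1" webroot="$2" client_dir="${3:-/opt/letsencrypt}"
    local pem="/etc/letsencrypt/live/$domain/fullchain.pem"
    if ! cert_needs_renewal "$pem" 30; then
        echo "$domain: valid until $(cert_not_after "$pem"), nothing to do"
        return 0
    fi
    (cd "$client_dir" && ./letsencrypt-auto --renew-by-default certonly \
        --server https://acme-v01.api.letsencrypt.org/directory \
        -a webroot --webroot-path="$webroot" -d "$domain") \
    && cert_dns_names "$pem" | grep -qx "$domain" \
    && service apache2 reload
}
```

From cron you would call `renew_if_needed www.sysstem.at /var/www/www.sysstem.at` instead of the mtime check; the 30-day window still leaves two months of margin on a 90-day certificate, and a failed renewal never reloads Apache.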

Now you are ready to host your own websites with HTTPS enabled, a valid certificate and good security.

Linux KVM – Error: ioctl(KVM_CREATE_VM) failed: 16 Device or resource busy

When you try to install a virtual machine with virt-install or the Virtual Machine Manager you get the following error:


root@syss:~# virt-install --connect qemu:///system \
    --name syss-test \
    --ram 1024 \
    --disk syss-test.img,size=8 \
    --network=network:default \
    --vnc \
    --noautoconsole \
    --os-type linux \
    --accelerate \
    --cdrom /home/syss/Downloads/debian-7.6.0-amd64-netinst.iso
Starting install...
ERROR internal error: Process exited while reading console log output: char device redirected to /dev/pts/45 (label charserial0)
ioctl(KVM_CREATE_VM) failed: 16 Device or resource busy
failed to initialize KVM: Device or resource busy

This is mostly because VirtualBox or VMware is running on the same machine. The kernel module of VirtualBox (vboxdrv) or VMware (vmmon) and KVM cannot use Intel VT-x or AMD-V at the same time: whichever hypervisor module enables the extensions first holds them, and KVM’s KVM_CREATE_VM then fails with EBUSY (“Device or resource busy”).

So if you want to run both at the same time you have to give up hardware virtualisation in one of them.

If you still need the KVM guest while VirtualBox or VMware is running, you can at least run it under QEMU’s software emulation:

root@syss:~# virt-install --connect qemu:///system \
    --name syss-test \
    --ram 1024 \
    --disk syss-test.img,size=8 \
    --network=network:default \
    --vnc \
    --noautoconsole \
    --os-type linux \
    --accelerate \
    --cdrom /home/syss/Downloads/debian-7.6.0-amd64-netinst.iso \
    --virt-type=qemu

Just add --virt-type=qemu at the end. This is not as fast as Intel VT-x or AMD-V, but it works in parallel with the other hypervisor.
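To see which side holds the virtualisation extensions before falling back to software emulation, here is a small diagnostic in bash. It is an added example and not part of the original post; the module names (vboxdrv for VirtualBox, vmmon for VMware) and the CPU flags vmx/svm are the real ones, and the functions take lsmod output and a cpuinfo file as parameters so they can also be run against a saved listing.

```bash
#!/bin/bash
# Added diagnostic (not from the original post): find out why
# KVM_CREATE_VM returns EBUSY. Only one kernel module can hold VT-x/AMD-V,
# so a loaded vboxdrv (VirtualBox) or vmmon (VMware) blocks KVM.

# Prints loaded modules that claim the virtualisation extensions.
# Reads lsmod-style text on stdin: `lsmod | competing_hv_modules`.
competing_hv_modules() {
    awk 'NR > 1 && $1 ~ /^(vboxdrv|vmmon)$/ { print $1 }'
}

# Prints "intel" (vmx) or "amd" (svm) from the flags line of a
# /proc/cpuinfo-style file; returns 1 if neither extension is present.
virt_extension() {
    local cpuinfo="${1:-/proc/cpuinfo}"
    if grep -Eq '^flags[[:space:]]*:.*[[:space:]]vmx([[:space:]]|$)' "$cpuinfo"; then
        echo intel
    elif grep -Eq '^flags[[:space:]]*:.*[[:space:]]svm([[:space:]]|$)' "$cpuinfo"; then
        echo amd
    else
        return 1
    fi
}

# Combines both checks. $1: cpuinfo file, $2: lsmod output (both default
# to the live system). Returns 0 when KVM should be usable, 1 otherwise,
# and prints a one-line verdict either way.
kvm_usable() {
    local cpuinfo="${1:-/proc/cpuinfo}" lsmod_text="${2:-$(lsmod 2>/dev/null)}"
    local ext busy
    if ! ext=$(virt_extension "$cpuinfo"); then
        echo "no VT-x/AMD-V flag in $cpuinfo: use --virt-type=qemu"
        return 1
    fi
    busy=$(printf '%s\n' "$lsmod_text" | competing_hv_modules)
    if [ -n "$busy" ]; then
        echo "KVM ($ext) blocked by loaded module(s): $(echo $busy)"
        echo "stop that hypervisor's VMs and unload the module, or use --virt-type=qemu"
        return 1
    fi
    echo "KVM ($ext) free: /dev/kvm should accept KVM_CREATE_VM"
}
```

Run `kvm_usable` on the affected host; if it names vboxdrv or vmmon, shut that hypervisor’s machines down and unload its module (or use --virt-type=qemu as above).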

Puppet Agent (client) copy-paste script for Debian and Ubuntu

This is a simple script you can copy and paste into your console to install Puppet on a new host. You only need to edit the first two lines with the server information and then sign the requested certificate on the puppet master (puppet cert sign <hostname>).

# Stefan Süss
# www.sysstem.at

#you only need to edit these 2 lines
SERVER_IP=10.0.0.100
SERVER_DNS=puppet.sysstem.at

#release codename: VERSION_CODENAME on newer releases, otherwise the
#parenthesised part of VERSION (Debian) or lsb_release (Ubuntu, whose
#VERSION line has no parentheses)
DEBIAN_RLS=$(. /etc/os-release; echo "${VERSION_CODENAME:-}")
[ -z "$DEBIAN_RLS" ] && DEBIAN_RLS=$(sed -n 's/^VERSION=.*(\([a-z]*\)).*/\1/p' /etc/os-release)
[ -z "$DEBIAN_RLS" ] && DEBIAN_RLS=$(lsb_release -cs 2>/dev/null)
PUPPET_DEB=puppetlabs-release-$DEBIAN_RLS.deb
PUPPET_CONF=/etc/puppet/puppet.conf

#add server IP to hosts (skip if an entry is already there)
grep -q "[[:space:]]$SERVER_DNS\$" /etc/hosts || echo "$SERVER_IP  $SERVER_DNS" >> /etc/hosts
#download the right release package of puppet
wget https://apt.puppetlabs.com/$PUPPET_DEB
#install the package
dpkg -i $PUPPET_DEB
#update sources
apt-get update
#install puppet. Needs /dev/null, otherwise apt-get would swallow the rest of the pasted input
apt-get -y install puppet < /dev/null
#comment out templatedir (Puppet warns that it is deprecated)
sed -i 's/^templatedir/#templatedir/' $PUPPET_CONF
#insert server after the commented templatedir line (the backslash before n is required)
#http://www.theunixschool.com/2012/06/insert-line-before-or-after-pattern.html
sed -i "s/.*#templatedir.*/&\nserver=${SERVER_DNS}/" $PUPPET_CONF
#start puppet agent for the first time (generates the certificate request)
puppet agent --onetime --verbose --no-daemonize --waitforcert 1

#newline

You can also find the script here: Github
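The two file edits in the script (the /etc/hosts entry and the server= line) are fine for a one-off paste but not for re-running on a host that is already set up: the sed only inserts server= after a templatedir line and would add a second one on a rerun. As an added example, not part of the original script, here are idempotent versions of both edits in bash. File paths are parameters so they can be tried on copies; the function names are assumptions.

```bash
#!/bin/bash
# Added example (not the original script): idempotent versions of the two
# edits the copy-paste script makes, so re-running on an already prepared
# host does not duplicate the /etc/hosts entry or the server= setting.
# Function names are assumptions; paths are passed in.

# Ensure exactly one "ip  name" line for $3 in hosts file $1. Matches the
# name as a whole field, so puppet.sysstem.at does not match puppet.sysstem.at.example.
# Writes back with cat so the inode is kept (matters when /etc/hosts is a bind mount).
ensure_hosts_entry() {
    local hosts="$1" ip="$2" name="$3" tmp
    tmp=$(mktemp)
    awk -v n="$name" '{ for (i = 2; i <= NF; i++) if ($i == n) next } { print }' "$hosts" > "$tmp"
    printf '%s  %s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$hosts" && rm -f "$tmp"
}

# Set server=$2 in the [main] section of puppet.conf $1: the line is put
# directly after [main], any older server= in that section is dropped, and
# a [main] section is created if the file has none. Other sections are
# left untouched (an [agent] server= stays as it is).
puppet_set_server() {
    local conf="$1" server="$2" tmp
    tmp=$(mktemp)
    awk -v s="$server" '
        /^\[main\]/ { print; print "server=" s; done = 1; inmain = 1; next }
        /^\[/       { inmain = 0 }
        inmain && /^[[:space:]]*server[[:space:]]*=/ { next }
        { print }
        END { if (!done) print "[main]\nserver=" s }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

In the script above, `ensure_hosts_entry /etc/hosts "$SERVER_IP" "$SERVER_DNS"` and `puppet_set_server "$PUPPET_CONF" "$SERVER_DNS"` would replace the echo and the second sed.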